Bugtraq mailing list archives

Re: QPopper 4.0.x buffer overflow vulnerability

From: Harald Hellmuth <hh () hostserver de>
Date: Thu, 13 Mar 2003 08:12:47 +0100

On Tue, 11 Mar 2003 19:05:51 -0800
Randall Gellens <rg_public.1 () flagg qualcomm com> wrote:

The first I heard of the problem was this morning.  Was any notice 
sent to qpopper-bugs () qualcomm com or qpopper-patches () qualcomm com in 
advance of the posting here?  If so, please let me know the details 
so I can see what happened to the message.  If not, I'd like to know 
why.

A fixed Qpopper (version 4.0.5fc2) is available now at 
<ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>.  I plan on 
releasing 4.0.5 final tomorrow unless I hear of any problems with 
4.0.5fc2.

-- 
Randall Gellens
rg_public.1 () flagg qualcomm com
Opinions are personal;     facts are suspect;     I speak for myself only


Hello,

Yesterday(2003-03-12) I've sent the following email to qpopper-bugs () qualcomm com:

------------------------------ snip ---------------------------------------
Dear Sir or Madam,

Florian Heinz posted an exploit to gain shell access through qpopper. 
See http://nstx.dereference.de/snippets/qex.c.
The reason is an unterminated bufferstring in Qvsnprintf.

I looked at version 4.05fc2 and there is a change, but i think that
change  isn't correct.

/* From File common/snprintf.c */
if ( nSize == 0 && *p != '\0' )
    {
        *s = '\0';
        return -1;
    }
    else
        return ( (n-1) - nSize );


/* when string that should be written to the buffer fits exactly,
 * than there will  no Zero-Byte be written to buffer, cause the for
 * loop terminates when nSize is 0 and the terminating '\0' of p is not
 * copied to buffer ;-(
*/

Ithink, it should be written as :


if ( nSize || *p=='\0') 
   {
        *s++ = *p;
        return ( (n-1) - nSize );
    }
else{
       *s++ = '\0';
       return -1;
    }


Please excuse my bad english.

regards

Harald Hellmuth
------------------------------ snap ---------------------------------------

with best regards


-- 

Harald Hellmuth
E-Mail: hh () hostserver de

Current thread:

QPopper 4.0.x buffer overflow vulnerability Florian Heinz (Mar 11)
- Re: QPopper 4.0.x buffer overflow vulnerability Torsten Mueller (Mar 12)
  - Re: QPopper 4.0.x buffer overflow vulnerability Florian Heinz (Mar 12)
- Re: QPopper 4.0.x buffer overflow vulnerability Randall Gellens (Mar 12)
  - Re: QPopper 4.0.x buffer overflow vulnerability Florian Heinz (Mar 12)
  - Re: QPopper 4.0.x buffer overflow vulnerability Harald Hellmuth (Mar 13)
- Re: QPopper 4.0.x buffer overflow vulnerability Jaroslaw Zachwieja (Mar 12)
  - RE: QPopper 4.0.x buffer overflow vulnerability Jonathan A. Zdziarski (Mar 12)
- <Possible follow-ups>
- Re: QPopper 4.0.x buffer overflow vulnerability Jonas Frey (Mar 11)